Software engineering streams. The process of software development can be said to stream (and perhaps even occasionally torrent) for a variety of reasons, not least of which is its use of real-time data technologies. Programming and development also streams because it is now executed inside so-called Continuous Integration & Continuous Deployment environments for the always-on world of the web and the cloud.
But most of all, software application development streams along because coders get into a “flow state” i.e. that precious in-the-zone mindset when someone is highly productive, essentially focused, singularly determined and often unusually or unexpectedly creative.
AppSec Tightens Software
Keen to help software teams capture this state of mind and exploit it in complex engineering projects is Qwiet AI, an application security company (the IT industry is fond of using the label AppSec) that provides AI-powered detection tools capable of pinpointing vulnerabilities in code.
Now branding itself as Qwiet AI, the company was formerly known as ShiftLeft, a term that alludes to teams who start testing earlier on the page (further leftwards) than those who leave it until it becomes a project afterthought. Given that the notion of shifting left has today become part of normal software development parlance, the organization adopted the quiet-themed name to convey its mission to reduce the inherent “noise” in the IT department (i.e. the clatter caused by security and operations requirements coming into battle with the onslaught of daily coding rituals) so that software teams can focus on high-fidelity results that have the greatest impact in their environment.
Now detailing the latest updates to its platform, Qwiet AI says it is working to enable software developers to stay in a positive flow state, in keeping with the spirit of continuous innovation. The company insists it is heads down on adding capabilities that will keep developers focused on producing code, reducing time wasted chasing false positives and lower-priority issues.
Meaningful Steps
“All cyber attacks start with insecure code,” said Stuart McClure, CEO of Qwiet AI. “Tremendous strides have been made by the industry in identifying vulnerabilities in code earlier in the software development cycle; however, addressing these vulnerabilities has historically been a time-consuming process. With AI AutoFix, Qwiet AI is taking the first meaningful step toward eliminating security vulnerabilities as we identify them.”
New from the team this year is the above-mentioned AI AutoFix feature. This function uses generative AI to produce a new code suggestion automatically as soon as a vulnerability is identified, so that it can be fixed immediately. Clearly (if this all works in practice) this helps reduce time-consuming security fixes and developer fatigue. Perhaps more importantly (and this is the big promise from McClure and team), AI AutoFix is said to turn Qwiet AI’s ability to identify security vulnerabilities into the first step in preventing cyber attacks from ever happening. AI AutoFix provides code fixes that are secure and, going further, that are generated based on the context of how an application works and how previous vulnerabilities were fixed, so there appears to be plenty of real-world practical relevance in how this software tool has been architected.
“AI AutoFix uses Qwiet AI’s patented method of ingesting an application’s code property graph (CPG) for prompt generation, allowing for more accurate, custom fixes for developers and their code,” explained McClure. “The inherently content-rich information provided by a CPG provides complete context into the application’s vulnerabilities, data flow and how the code is structured, revealing critical information on the application’s functional elements and data flow paths.”
What Is A Code Property Graph?
To define a CPG in more exact terms, we can think of it as a road map of data flows, vulnerabilities and how developers have written their code. It allows Qwiet AI to understand code holistically, from a layered perspective, and so give development hours back to the team. It enables greater fidelity in finding real vulnerabilities instead of false positives. It extends reach to provide a developer-centric view of how the vulnerability was introduced and how a bad actor may reach it. Crucially, it also quantifies exploitability to provide a real-world perspective on the threat itself out in the wild.
AI AutoFix receives critical context from a customer’s CPG, Qwiet AI’s patented feature that provides a full analysis of vulnerabilities, data flow and even how developers have written their code, in order to provide tailored code-fix suggestions. The modular design ensures Qwiet AI customers will always have the best-performing large language model. After running an AI-powered threat detection scan, which typically takes 90 seconds, engineers are provided with both a list of vulnerabilities and appropriate code fixes.
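To make the “road map” idea concrete, here is an added Python sketch (not Qwiet AI’s code, whose implementation is not on this page) of the data-flow layer of a code property graph built over a constructed snippet, followed by the source-to-sink reachability query that tells a developer whether attacker-controlled input can actually reach a dangerous call. A full CPG in the static-analysis sense also merges syntax and control-flow layers; the sample program, the taint source name and the sink name are all assumptions chosen for the illustration.

```python
import ast
from collections import defaultdict, deque

# Constructed sample (not from the article): request data flows into a shell call; `length` is a harmless branch.
VULNERABLE = """
def handler(request):
    name = request.args.get("name")
    greeting = "echo hello " + name
    length = len(greeting)
    os.system(greeting)
"""
SOURCES = {"request.args.get"}  # assumed taint source: attacker-controlled input
SINKS = {"os.system"}           # assumed dangerous sink: command execution

def call_name(call):
    """Dotted callee name of an ast.Call, e.g. 'request.args.get'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts, f = parts + [f.attr], f.value
    return ".".join(reversed(parts + [f.id])) if isinstance(f, ast.Name) else ""

def loaded_names(expr):
    """Variables read inside an expression; callee names are not data."""
    callees = {id(x) for n in ast.walk(expr) if isinstance(n, ast.Call) for x in ast.walk(n.func)}
    return {n.id for n in ast.walk(expr) if isinstance(n, ast.Name) and id(n) not in callees}

def build_cpg(src):
    """Minimal CPG: variable-level data-flow edges plus source/sink labels."""
    edges = defaultdict(set)
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            target = node.targets[0].id
            for var in loaded_names(node.value):       # plain variable-to-variable flow
                edges[var].add(target)
            for call in ast.walk(node.value):           # a labelled source feeding the target
                if isinstance(call, ast.Call) and call_name(call) in SOURCES:
                    edges[call_name(call)].add(target)
        elif isinstance(node, ast.Expr) and isinstance(node.value, ast.Call) \
                and call_name(node.value) in SINKS:     # a labelled sink consuming variables
            for var in loaded_names(node.value):
                edges[var].add(call_name(node.value))
    return edges

def reachable_paths(edges):
    """Every source-to-sink path: the evidence a fix (or a triage) needs."""
    paths, queue = [], deque([[s] for s in SOURCES])
    while queue:
        path = queue.popleft()
        for nxt in edges.get(path[-1], ()):
            if nxt not in path:  # cycle guard
                (paths if nxt in SINKS else queue).append(path + [nxt])
    return paths
```

The returned path lists the variables the input passes through on its way to the sink, which is exactly the context a fix suggestion needs, while the `length` branch produces no finding because it never reaches a sink.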
Developers: More AI Please
Citing some of its own (independently executed) market survey materials, the company suggests that as many as 94% of developers feel they will need AI security tools to keep pace with the ever-growing threat landscape. Developers currently spend up to a third of their time chasing security vulnerabilities and false positives. The claim here is that, with AI AutoFix, what might have taken two to three hours to fix can now be done in under five minutes.
“The integration of AI tools to support developers increases productivity among development teams,” said McClure. “Developers are producing code at a pace faster than ever before and to meet competitive market demands, it is critical organizations incorporate AI-based applications into their application security to ensure new code is secure. The release of AI AutoFix follows Qwiet AI’s momentum in vaccinating the technology industry against security threats through prevention over the traditional approach of detecting and responding to security threats.”
How AI Helps Developers, Actually
Taking stock then, this is very close to what the software industry has been teasing us with as the best way to implement artificial intelligence at the coalface of programming and software systems development. That is to say, we don’t need to think about “replacing” coders with AI engines (we don’t have enough of them anyway, and that shortage isn’t going away any time this decade and possibly the next); we should be thinking about how AI is going to augment, support and extend developers’ capabilities.
After all, where AI appears to work best is when it can take away the grunt work and open up channels for human creativity. That’s surely worth breaking the quiet for and making some noise over, right?
This post was originally published on the third-party site mentioned in the title.